Docs Menu

Configure a Backup Compliance Policy

If you have strict data protection requirements, you can use Atlas Kubernetes Operator to enable a Backup Compliance Policy to protect your backup data.

Important

You Can't Disable a Backup Compliance Policy

After you enable a Backup Compliance Policy, you can't disable it without MongoDB support. To disable a Backup Compliance Policy, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process. Before you enable a Backup Compliance Policy, carefully review the prohibited actions and considerations. You can re-enable a Backup Compliance Policy at any time.

If you enable a Backup Compliance Policy, no user, regardless of role, can do certain actions. Carefully review the prohibited actions.

Important

If you set this parameter to true, Atlas upgrades all backup policies in the project regardless of what is specified in the AtlasBackupPolicy Custom Resource. Atlas overrides the AtlasBackupPolicy Custom Resource and the status of that custom resource updates to Ready: False. You must manually update the AtlasBackupPolicy Custom Resource to align with the Backup Compliance Policy.

If you set this parameter to false, creating the Backup Compliance Policy fails if the existing backup policies do not satisfy the Backup Compliance Policy.

After you enable a Backup Compliance Policy, certain behaviors apply. Carefully review the considerations.

To configure a Backup Compliance Policy, you must have Project Owner access to the project. Users with Organization Owner access must add themselves as a Project Owner to the project before configuring a Backup Compliance Policy.

  • Only MongoDB Support can do the following actions:

  • Only the specified security or legal representative can request support.

  • You can apply a Backup Compliance Policy to M10+ dedicated clusters only.

    Note

    You can't convert a dedicated cluster to an M0 Free cluster, an M2 or M5 Shared cluster, a Flex cluster, or a Serverless instance.

1

To learn more about the parameters for a Backup Compliance Policy, see the AtlasBackupCompliancePolicy Custom Resource.

Example:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasBackupCompliancePolicy
metadata:
name: my-backup-compliance-policy
namespace: mongdb-atlas-system
spec:
authorizedEmail: john.doe@example.com
authorizedUserFirstName: John
authorizedUserLastName: Doe
copyProtectionEnabled: false
encryptionAtRestEnabled: false
onDemandPolicy:
retentionUnit: weeks
retentionValue: 3
overwriteBackupPolicies: false
pointInTimeEnabled: true
restoreWindowDays: 42
scheduledPolicyItems:
- frequencyInterval: 2
frequencyType: daily
retentionUnit: days
retentionValue: 7
EOF

Note

This Backup Compliance Policy applies as the minimum backup policy to all clusters in the project. The Backup Compliance Policy protects all existing snapshots. The Backup Compliance Policy prevents any user, regardless of role, from modifying or deleting existing snapshots prior to their expiration. Changes made to this Backup Compliance Policy apply only to future snapshots. If you enable a Backup Compliance Policy, the Backup Compliance Policy limits your ability to reduce backup storage costs. You can't adjust the retention or delete a backup to reduce the backup storage costs.

2

In the spec.backupCompliancePolicyRef parameter in the AtlasProject Custom Resource, specify the name and namespace of the opaque secret that references the AtlasBackupCompliancePolicy Custom Resource.

Example:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
name: my-project
spec:
backupCompliancePolicyRef:
name: my-backup-compliance-policy
namespace: mongodb-atlas-system
EOF